Re: NT file system security

ykffc <ykffc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
For a PC that runs WindowsXp Pro and being a member of a domain, can
we really protect all the files within a certain local hard disk
folder (including its subdirectories) from unauthorized access?

Look into EFS.

If the following are requirements:
- the group of domain administrators is always (in this case) set as
one of the local pc administrator.
- As usual, we have to allow the domain adminstrator to reset the
user's domain logon password
- access by the Domain administrator group has to be restricted too.
- these files cannot be accessed remotely by any person, including the
administrators
- The local, build-in Administrator account has a password known to
the Domain Administrator
- For example, our Finance Mgr is the only person to access these
files and we want him to be the only person having the key to those
files.

My guess the following may be a solution (not too sure if this is
correct ): - while in the Domain user logon, create a folder XX with
access restricted to the domain account user of our Finance Mgr only
- at the end of a day the user must log-off from the Domain user
account
- sign-on the pc with a LOCAL user name (not Domain user name) where
he is the only person having the password
- create a special folder LL, under C:\ drive
- set security/share permission to allow access to this folder by the
finance manager local account (who is the Creator) only
- create/move those files from other directories to this folder LL
that requires top-access restriction

I think the above should give the require security

No, this won't work. Administrators can take ownership of any unencrypted
files/folders and access them. And you don't want anyone to use a local
workstation account - always domain accounts (using cached credentials when
offsite). And no data should reside on a workstation hard drive - keep it
all on the server.

but I can't
resolve one problem (actually not sure if there is such a problem),
The problem is: when he needs to go back to the domain, (which is
always the case) , can he access or copy back these files from YY
back to LL easily? If it prompts to enter a password for the local
user account, that is not a deal. But if not, is there a solution?

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
should be helpful. Be very careful. Encryption works. If you don't have a
backup of the certificate keys, and something goes awry, the data will be
inaccessible to all.


.

Relevant Pages

  • Re: Lost XP User Account Settings
    ... file ownership and permissions supersede administrator rights. ... This is not your administrator account, ... Open Explorer, go to Tools and Folder Options, on the view tab, scroll to ...
    (microsoft.public.windowsxp.accessibility)
  • Re: Windows Media player(transfering files between user accnts.)
    ... file ownership and permissions supersede administrator rights. ... This is not your administrator account, ... >> Open Explorer, go to Tools and Folder Options, on the view tab, scroll to ...
    (microsoft.public.windowsxp.basics)
  • Re: Event 1202 Warnings after Renaming Administrator Acct on SBS2003
    ... policy to rename the account although it is not really necessary or useful. ... Did I check Group Policies for references to the Administrator ... Failed to perform redirection of folder Desktop. ...
    (microsoft.public.windows.server.general)
  • Re: Deleting Multiple Users
    ... You cannot log on to the Administrator account except in safe mode. ... The Windows folder in the David folder is nothing to worry about--it is ...
    (microsoft.public.windowsxp.setup_deployment)
  • Re: Help Please re. User Rights???
    ... I have the original administrator called "Administrator" ... When I go to the Folder Options, there is no "Enable Simple File Sharing" so ... In the Security tab I had the following: ... This is not your administrator account, ...
    (microsoft.public.windowsxp.accessibility)